Posts by Dominique Brulé

Blogger profile: Dominique Brulé

Works in Marketing for NFC at Gemalto. Blogs on all matters NFC, TSM and ecosystems. Lucky to live in Nice, not only for the sunshine but also to be among the first regular NFC phone users in the world.


Latest comments

27/08/19 @ 11:08 – Lambert Jean

Hi Alexandros,
Many thanks for the interest you show in our blog, and in PSD2 in general.
About SMS OTP, we of course refer to June 2019’s EBA Opinion Paper, which actually mentions it as a relevant Possession factor (Table 2, Page 7). Our interpretation of how EBA supports (or does not!) SMS OTP is based on our analyses of this process’ vulnerability, and the many references in the texts to end-to-end security of the authentication elements. As a matter of fact, when EBA published its first opinion in June 2018, demonstrating that the current practices with SMS OTP were at least not sufficient to comply, many banks considered it a severe warning against SMS OTP. This interpretation was also shared by ECSG, the “European Cards Stakeholders Group”, strongly in favor of SMS, in its discussions with EBA. ECSG however always considered evolving to biometrics, for instance, as a must for the future.
In summary, SMS OTP is seen as an acceptable solution, but EBA however underlines its limits:
• It is only one factor (“possession”) and a 2nd factor is needed. In the medium term, the usage of SMS OTP without, for instance, an additional password, would have to be reconsidered…
• Other security concerns (integrity, confidentiality, SIM swapping…) that we often pointed to as risky, even if not emphasized in the paper, are frequently mentioned in various EBA texts.
At the end of the day, it seems now that there is a consensus to say that
• SMS is not satisfying, and should at least evolve, possibly be replaced by other methods, and/or be reserved for categories of customers that cannot be reached in another way (Thales/Gemalto message for years already!)
• But considering its wide deployment, its acceptance by customers and merchants, and its actual good impact on fraud, this evolution would take time. That is precisely what the NCAs prepare to do by proposing “migration paths” that will be formalized in the next weeks or months, as allowed by EBA in this year’s opinion paper.
Your vision, “although the SMS OTP solution has vulnerabilities, if you connect this solution with a knowledge element (like a PIN or password) then you can manage 2FA and SCA”, is a valid approach and I assume it should be backed by NCAs for the short to medium term. But in the longer term, in the competitive landscape, and to improve customers’ security, we still say that it should rapidly evolve, and many banks are already in this perspective.